(see below for update about Android 6.0+) Depends on the phone and if they use passive or active probing [1]. I also do not see a way to disable it globally yet, as it's currently in the Google Issue Tracker [2]. Some say it's meant to be passive by default; however, the Android documentation doesn't specifically state this [3].

"The existence of an hidden function to start an active scan (reported here) suggests that the normal scanning function is indeed passive. This is to be taken with a grain of salt, though, as the Android documentation doesn't explicitly tell if the function WifiManager.startScan() is passive or not." [3]

[1] https://nakedsecurity.sophos.com/2012/10/02/what-is-your-pho...
[2] https://issuetracker.google.com/issues/36989646
Please do note this same issue exists with Bluetooth (in comments).
[3] https://android.stackexchange.com/a/131446

Edit: Looks like iOS randomizes the MAC address while scanning for WiFi networks since iOS 8 (it should be noted that it says "may not always be the device's real (universal) address") [4].
[4] https://news.ycombinator.com/item?id=7864813

Edit 2: After some more reading, supposedly Android 6.0 solves this issue by randomizing the MAC address as well; however, the user in this blog tested it and was still able to get the original MAC address [5].
[5] https://urbanjack.wordpress.com/2016/03/04/game-over-for-wif...

Edit 3: After even more reading, it's kind of hard to tell which devices are affected and which aren't (some say Google phones aren't affected and it's just OEM phones, however others claim that some Google phones are still affected by this issue). The only way to get this fixed globally is to have a security push to all supported versions that by default disables it globally, and then a user can enable it by choice, considering the spaghetti mess of who is using it by default and who is not.

Edit 4: I agree with many that MAC randomization isn't really a good idea, because some networks assign IPs based on the MAC address, and to address that issue only the probing/scanning packets have the spoofed MAC address. All a hacker would have to do is create a network with the spoofed SSID and get the user to connect with the real MAC address, thereby circumventing the randomization technique.
As you found out, this whole thing is pretty unclear and it really depends on the phone/vendor (or combination of vendor and software version). While testing I've noticed some phones use their own MAC address every time (like my Nexus 5), while others change their MAC address. Changing the MAC address doesn't really help if they send the full probe request though, as you can still use the combination of ESSIDs a device is looking for as a way of fingerprinting them (the chances of someone else asking for the exact same list are quite small).
Also, in one of the cases where I noticed a device using different MAC addresses, it only changed the last part of the address, keeping the vendor ID the same, making identifying a device easier.
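As an added example (not code from either commenter), a small Python audit over a constructed probe-request capture that checks the two things discussed above: whether an observed address is actually marked as randomized (the IEEE 802 locally administered bit), and whether a device is still linkable across address changes via the set of SSIDs it probes for or a retained vendor prefix. The record format and all sample values are assumptions.

```python
from collections import defaultdict

def is_locally_administered(mac: str) -> bool:
    """IEEE 802: bit 1 of the first octet set => locally administered.
    Randomized addresses set this bit; burned-in vendor addresses do not."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

def oui(mac: str) -> str:
    """First three octets: the vendor prefix the thread calls the 'vendor ID'."""
    return ":".join(mac.lower().split(":")[:3])

def audit(records):
    """records: iterable of (mac, [probed_ssids]) as a sniffer would log them.
    Returns a per-MAC report and the groups of MACs that share an identical
    non-empty SSID set, i.e. the same device re-identified despite a new MAC."""
    by_mac = defaultdict(set)
    for mac, ssids in records:
        by_mac[mac.lower()].update(s for s in ssids if s)  # drop broadcast probes
    report = {}
    for mac, ssids in by_mac.items():
        report[mac] = {
            "randomized": is_locally_administered(mac),
            "oui": oui(mac),
            "ssids": frozenset(ssids),
        }
    by_fingerprint = defaultdict(list)
    for mac, info in report.items():
        if info["ssids"]:
            by_fingerprint[info["ssids"]].append(mac)
    linked = [sorted(macs) for macs in by_fingerprint.values() if len(macs) > 1]
    return report, linked

# Constructed sample capture (not real devices). First octet 0xA8 has the
# local bit clear, so those two look like burned-in addresses that only
# changed their tail; 0xDA has it set, so that one is a proper random MAC.
SAMPLE = [
    ("A8:BB:CC:11:22:33", ["homewifi", "coffee-shop"]),
    ("A8:BB:CC:44:55:66", ["homewifi", "coffee-shop"]),
    ("DA:11:22:33:44:55", [""]),
]

if __name__ == "__main__":
    rep, groups = audit(SAMPLE)
    for mac, info in rep.items():
        print(mac, "randomized" if info["randomized"] else "burned-in", sorted(info["ssids"]))
    print("linkable via SSID set:", groups)
```

The first two records show the case from the comment above: the vendor prefix is retained, the address is not flagged as locally administered, and the identical SSID set ties both addresses to one device anyway.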